On Wed, Aug 02, 2017 at 08:30:21AM -0700, robg...@nospammail.net wrote:

> SHA1 cert signing is (being) deprecated

By the CAs, so you don't need to take any action.  With all the
trusted CAs no longer issuing SHA-1 certs, pretty soon all the
extant SHA-1 certs will expire, and there'll be nothing to
enforce.

> So SHA1-signed certs < BAD!

Don't panic.  SHA-1 has been tarnished and is being phased out,
but there are no practical near-term attacks on X.509.  The
browsers and CAs are driving it out of the ecosystem early,
which is a good idea, but there's no need for SMTP MTAs to
be part of the police squad deporting SHA-1.

> I don't *think* it does.  And I don't find anything that says it does.  Or 
> doesn't, as far as that goes.
> 
> In my postfix logs, I still see use of
> 
>   0x00,0x39 - DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA   Enc=AES(256)  Mac=SHA1
>   0xC0,0x19 - AECDH-AES256-SHA        TLSv1 Kx=ECDH     Au=None  Enc=AES(256)  Mac=SHA1
>   0xC0,0x14 - ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA   Enc=AES(256)  Mac=SHA1
>   0x00,0x3A - ADH-AES256-SHA          SSLv3 Kx=DH       Au=None  Enc=AES(256)  Mac=SHA1
>   0x00,0x35 - AES256-SHA              SSLv3 Kx=RSA      Au=RSA   Enc=AES(256)  Mac=SHA1
>   0xC0,0x0A - ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1

This is SHA-1 as a keyed MAC for TLS message integrity, not SHA-1
in certificates.  No better MAC is available for TLS 1.0 and 1.1,
for SHA2 ciphersuites you need TLS 1.2, which has not yet driven
out its predecessors.  SHA-1 as a keyed MAC (HMAC IIRC) is not
believed vulnerable to collision attacks.

> And in the HIGH + MEDIUM cipherlist I use in postfix,
> 
>   openssl ciphers -V 'HIGH:MEDIUM:' | grep SHA1 | wc -l
>     40
> 
> there's still 40 ciphers with Mac=SHA1.
> 
> Just wanted to verify if the problem is just with cert-signing, or a more
> general usage of SHA1 in any way, in the content of Postfix.

If there were a real problem, the onus to deprecate the weak code
points would be on OpenSSL and to some extent Postfix.  As a user
you really should not be working so hard to optimize for security.

Indeed such efforts are often counterproductive.  If you're doing
opportunistic TLS, then TLS gives you the strongest mutually
supported ciphersuite.  Some security is better than none, if
you exclude weaker, but still widely best-available ciphers then
you get cleartext delivery instead.

    https://tools.ietf.org/html/rfc7435

-- 
        Viktor.

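As an added example that is not part of this thread, here is a small Python parser for the `openssl ciphers -V` output quoted above. It counts how many suites use HMAC-SHA1 only as the record MAC (the point made in the reply), how many are anonymous (Au=None, acceptable only for opportunistic TLS), and how many are TLS 1.2-only; the sample is constructed from the six quoted suites plus one TLS 1.2 AEAD suite in the same format.

```python
import re
from collections import Counter

# Constructed sample: the six suites quoted in the thread plus one TLS 1.2
# AEAD suite, in the format printed by `openssl ciphers -V`.
SAMPLE = """\
0x00,0x39 - DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
0xC0,0x19 - AECDH-AES256-SHA        TLSv1 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
0xC0,0x14 - ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
0x00,0x3A - ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
0x00,0x35 - AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
0xC0,0x0A - ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
"""

LINE_RE = re.compile(
    r"^\s*0x([0-9A-F]{2}),0x([0-9A-F]{2})\s+-\s+(\S+)\s+(\S+)\s+"
    r"Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)"
)

def parse_cipher_line(line):
    """Parse one `openssl ciphers -V` line into its fields (None if not a suite line)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    hi, lo, name, proto, kx, au, enc, mac = m.groups()
    return {
        "code": (int(hi, 16) << 8) | int(lo, 16),
        "name": name, "min_proto": proto, "kx": kx, "au": au, "enc": enc, "mac": mac,
        # Mac=SHA1 is HMAC-SHA1 over the TLS record, unrelated to certificate signatures.
        "hmac_sha1": mac == "SHA1",
        # Au=None means no peer authentication: acceptable only for opportunistic TLS.
        "anonymous": au == "None",
        # SHA-2 HMACs and AEAD modes first appear in TLS 1.2.
        "needs_tls12": proto == "TLSv1.2",
    }

def summarize(text):
    """Tally the suites in a block of `openssl ciphers -V` output."""
    suites = [s for s in map(parse_cipher_line, text.splitlines()) if s]
    return {
        "total": len(suites),
        "hmac_sha1": sum(s["hmac_sha1"] for s in suites),
        "anonymous": sum(s["anonymous"] for s in suites),
        "needs_tls12": sum(s["needs_tls12"] for s in suites),
        "by_mac": dict(Counter(s["mac"] for s in suites)),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Pipe real output in with `openssl ciphers -V 'HIGH:MEDIUM' | python3 - ` after replacing `SAMPLE` with `sys.stdin.read()` to audit your own cipherlist the same way.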